When we humans get ill, our defenses swing into action to fight
off the invading microbes and the infections they cause.

But computer systems have nothing like the human immune response.
If a malicious virus or worm -- such as this week's "SQL slammer"--
infects them, there's nothing to stop it from doing serious damage.

By the time it was brought under control on Monday, the SQL worm
had snarled Internet traffic worldwide, caused some cash machines
to stop issuing money and knocked most of South Korea offline.

immune system for computers

Researchers at Hewlett-Packard Laboratories in Bristol, UK, have
developed a benign response to attacks that radically slows down
the spread of malicious viruses -- in effect, an immune system for
computers. This week, they tested it against the SQL Slammer worm,
and found it reduced the bug's spread to a crawl in just two-tenths
of a second.

"We were excited to find that the throttle worked even against
a worm like Slammer, which it had not encountered before,"
said researcher Matt Williamson. "We hope this means the technique
will be effective against other unknown threats in the future."

Called virus throttling because it chokes off attacks, the system
was invented by Williamson, Jonathan Griffin, Andy Norman and Jamie
Twycross.

how worms work

Worms attempt to spread by connecting to many different machines
as fast as they possibly can. Slammer, for instance, attempts to
connect to up to 850 new machines each second, while Nimda attempts
to make 400 new connections a second.

In normal uninfected use, our computers don't behave like this.
They tend to connect to only a few different computers at a time,
and these will usually be to machines that your computer has already
contacted before.

The researchers realized that they could slow down the spread of
a virus from an infected machine by strictly limiting the number
of connections it attempts to make. The result was the virus throttle,
which restricts connections to just one new computer a second.

Normal usage is unaffected by this rate limiter. When a virus
attacks, it will attempt to make many connections at a high rate.
These will be slowed by the rate limiter. The backlog of connections
grows quickly, allowing the virus to be detected easily and further
propagation stopped.

virus spread slowed

"The technology does not prevent an individual machine becoming
infected, but it can keep the virus from spreading to many others,"
says Williamson. "Since a machine that is infected, but throttled,
isn't spreading the virus any more, the overall speed of infection
is reduced. Also, since there are fewer machines actively spreading
the virus, the load on network infrastructure -- routers for instance
-- is reduced."

So far there is no indication that the system slows down a computer
that is acting normally. The researchers have run the throttle on
their own computers for three months with no obvious effect on performance.

This is an altruistic approach to cyber disease control. Just as
with the mass vaccination of children against common diseases, the
aim is to protect the larger community from illness as much as the
individual.

Griffin explained that another important benefit is that throttling
does not trigger an alarm when there is actually no problem at all,
so-called false positive responses. Continuous false positives can
lead system administrators to ignore alarms, even when there may
in fact be an attack in progress.

test ground for virus throttling

To test the technology the research team has to use 'live' viruses
and worms to see how they spread between computers, without a throttle
and then with one in place. So to make sure that a worm -- Nimda
is being used at the moment -- cannot escape to HP's
network the researchers are using a secure cyber disease control
lab.

Only five people on HP's
Bristol site have access to the lab, which is constantly scanned
by security cameras, and none of the test computers are connected
to external networks.

The group, Twycross explained, "is involved in running tests
on the throttle using a specially developed test worm that is able
to emulate different types of malicious attack."

The research is promising even though it's at an early stage. "We
have a number of ideas and new approaches to take it further,"
Williamson says.